BLACK HAT USA – Las Vegas – Wednesday, Aug. 9 – Security teams looking to justify more cyber investment to the powers that be have good arguments to make these days: They can, for instance, make the case that realizing digital opportunities requires cybersecurity hardening and that, more and more, customer trust hinges on having a strong cybersecurity focus.
Speaking at the Omdia Analyst Summit at the Black Hat conference in Las Vegas, Omdia senior analyst Maxine Holt acknowledged that organizations struggle to invest in remaining secure, compliant, and resilient, particularly with new attack techniques developing and increased volumes of attempted breaches, along with staffing shortages.
Yet, "organizations must be continuously available [to customers] despite these security challenges," she said. "They must also be available to take advantage of digital opportunities."
She added that when it comes to making the case for additional investment, "it's kind of a carrot and a stick thing: The sticks are the cyberattacks, and the carrots are the digital opportunities that can help an organization better service customers."
Be the Most Trusted Entity for All
Holt said organizations want to avoid being the subject of the next headline and want to be trusted by their customers and partners, as well as anywhere else that they engage. She said there should be a Golden Rule consideration: Deal with data about others as you would expect others to deal with data held about you.
"Our organizations want to be trusted, whether you're private, whether you're public, whether you're for profit or not," Holt said. She cited Walmart as an example, adding that the retail giant has invested millions of dollars in cybersecurity over the past decade and, as a result, is now pitching itself as the world's most trusted retailer. Not the most secure, she stressed, but the most trusted.
Another consideration here is that organizations are still looking to get a return on their security investment, and this is part of embracing more digital opportunities. Holt said that owners commonly believe that their organizations are secure, and cybersecurity is viewed as a commodity. However, some departments are making the case that it's impossible to go after digital transformation without a corresponding focus on cybersecurity. "We are seeing more organizations look for a return on their security investment to build the case for more investment in cybersecurity," she explained.
Holt said the best outcome for a return on security investment is when there are no incidents or breaches, but this rarely gets the CFO excited. "Innovation is the opportunity," Holt said, "and the investment in security could result in the organization being more competitive in the market."
An Evolution to Continuous Cybersecurity
Holt concluded by saying that in order to be effective, cybersecurity must evolve from a tick-the-box approach into a more continuous management of the cyber environment — but that implementing that realistically takes C-suite buy-in, so security teams need to start advocating for what they need.
"The organization must pay close attention because resilience is a business objective," Holt said, "and you cannot have business resilience without a balance of security resilience."
Holt said that by positioning cybersecurity as a key component of managing and sustaining the organization's growth, it could come to be seen as a core component of the business — one that supports customers, and the delivery of products and services.
"An organization cannot survive without basic solid cybersecurity," Holt said. "It can't thrive without a strong focus on cybersecurity; it is a key component of managing and sustaining the organization."